January 2007
Report No. 07-003

The FDIC’s Compliance With Section 522 of
the Consolidated Appropriations Act, 2005

AUDIT REPORT


Report No. 07-003
January 2007

The FDIC’s Compliance With Section 522 of the Consolidated Appropriations Act, 2005

Background and Purpose of Audit

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to audit the FDIC’s compliance with section 522 of the Consolidated Appropriations Act, 2005 (Division H, The Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005) (section 522). Section 522 requires, among other things, that agencies establish and implement comprehensive privacy and data protection procedures and have an independent third-party review performed of their privacy programs and practices.

In fulfilling its legislative mandate of insuring deposits, supervising financial institutions, and managing receiverships, the FDIC creates and acquires a significant amount of information in an identifiable form (IIF). Such IIF includes names, addresses, Social Security numbers, phone numbers, dates of birth, and credit report information. Much of the information managed by the FDIC falls within the scope of several statutes and regulations intended to protect such information from unauthorized disclosure.

The objective of the audit was to (1) evaluate the FDIC’s use of IIF and the FDIC’s privacy and data protection procedures and (2) recommend strategies and specific steps to improve the FDIC’s privacy and data protection management practices.

To view the full report, go to: www.fdicig.gov/2007reports.asp

Results of Audit

The FDIC has established a corporate-wide privacy program to protect the IIF it manages from unauthorized disclosure and ensure its appropriate use consistent with section 522. Of particular note, the FDIC has appointed a Chief Privacy Officer (CPO) with overall responsibility for the FDIC’s privacy program, issued or drafted policies and procedures for safeguarding IIF, and posted a privacy statement on the FDIC’s public Web site. Additionally, the FDIC has performed privacy impact assessments (PIA) on its systems identified as containing IIF, completed required Privacy Act-related reviews, and implemented mandatory Web-based privacy awareness training for its employees and contractors. Further, the FDIC was working to complete a number of key initiatives to strengthen its privacy program policies, procedures, and practices and ensure compliance with federal privacy-related statutes, policies, and guidelines.

Consistent with the intent of section 522, our report identifies areas of the FDIC’s privacy program warranting continued management attention and recommends strategies and specific steps that management should take to ensure adequate protection of its IIF. Specifically, the FDIC can enhance its privacy program by integrating its key ongoing and planned program control activities into a formal documented plan. In addition, (a) physical security of IIF in hardcopy format needed improvement; (b) PIAs posted on the FDIC’s public Web site did not always contain sufficient descriptions of the FDIC’s collection or use of IIF; and (c) the FDIC’s System Development Life Cycle (SDLC) processes did not address all relevant aspects of privacy, including the role of privacy officials.

Recommendations and Management Response

KPMG recommended that the CPO:

   • enhance the FDIC’s privacy program by integrating key ongoing and planned program control activities into a formal documented plan;
   • implement additional measures to ensure that IIF is properly secured;
   • place additional emphasis on employee and contractor awareness to physically safeguard IIF in their custody;
   • ensure that PIAs posted on the FDIC’s public Web site adequately describe the FDIC’s collection and use of IIF; and
   • enhance the FDIC’s SDLC processes to fully address privacy.

The FDIC agreed with the recommendations and is taking responsive actions.


Federal Deposit Insurance Corporation                    Office of Audits
3501 Fairfax Drive, Arlington, VA 22226                  Office of Inspector General

DATE:             January 10, 2007

MEMORANDUM TO:    Michael E. Bartell
                  Chief Privacy Officer,
                  Chief Information Officer, and
                  Director, Division of Information Technology

FROM:             Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]
                  Assistant Inspector General for Audits

SUBJECT:          The FDIC’s Compliance With Section 522 of the Consolidated Appropriations Act, 2005
                  (Report No. 07-003)

Attached is a copy of the subject report prepared by KPMG LLP under contract with the Office of Inspector General. Please refer to the Executive Summary for the overall results of the audit. The firm’s report is presented as Part I of this document.

A summary and evaluation of your response, the response in its entirety, and the status of the report’s recommendations are contained in Part II of this document. Your comments on a draft of this report were responsive to the report’s recommendations. We consider the recommendations to be resolved, but they will remain open until we have determined that agreed-to corrective actions have been completed and are effective.

If you have any questions concerning the report, please contact Mark F. Mulholland, Director, Systems Management and Security Audits, at (703) 562-6316. We appreciate the courtesies extended to the audit staff during the assignment.

Attachment

cc:   Rack D. Campbell, DIT
      James H. Angel, Jr., OERM


Table of Contents

Part I:

   Report by KPMG LLP
   The FDIC’s Compliance With Section 522 of the Consolidated Appropriations Act, 2005 ............ I-1

Part II:

   Corporation Comments and OIG Evaluation ........................................................ II-1
   Corporation Comments ........................................................................... II-4
   Management Responses to Recommendations ........................................................ II-8


Part I

Report by KPMG LLP

The FDIC’s Compliance With Section 522 of the
Consolidated Appropriations Act, 2005
(Report No. 07-003)

Prepared for the
Federal Deposit Insurance Corporation
Office of the Inspector General

FINAL REPORT

Prepared by:
KPMG LLP
Advisory Services, Federal Practice
2001 M Street, NW
Washington, DC 20036
(202) 533-3000


TABLE OF CONTENTS

INTRODUCTION ...................................................................................... I-1
BACKGROUND ........................................................................................ I-2
RESULTS OF AUDIT .................................................................................. I-5
STRATEGY FOR ENHANCING CURRENT PRIVACY PROGRAM EFFORTS ............................................ I-5
DETAILED AUDIT RESULTS ............................................................................ I-8
PHYSICAL SECURITY OF HARDCOPY IIF ................................................................. I-8
PUBLIC DISCLOSURE OF IIF USAGE .................................................................... I-10
PRIVACY CONSIDERATIONS IN THE SDLC ................................................................ I-12
CORPORATION COMMENTS AND OIG EVALUATION ........................................................... II-1
CORPORATION COMMENTS .............................................................................. II-4
MANAGEMENT RESPONSES TO RECOMMENDATIONS ........................................................... II-8
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY ..................................................... I-15
APPENDIX II: LAWS, STANDARDS, POLICIES, AND GUIDELINES PROTECTING PRIVACY-RELATED AND SENSITIVE INFORMATION ... I-16
APPENDIX III: RISK RATINGS ........................................................................ I-20
APPENDIX IV: FDIC PRIVACY PROGRAM INITIATIVES ..................................................... I-21
APPENDIX V: AICPA/CICA PRIVACY FRAMEWORK CONCEPTS ................................................. I-22
FIGURE 1: AICPA/CICA PRIVACY FRAMEWORK ............................................................ I-7
FIGURE 2: THE FDIC’s PIA PROCESS .................................................................. I-11

ACRONYMS

AICPA     American Institute of Certified Public Accountants
ASA       Application Security Assessment
CICA      Canadian Institute of Chartered Accountants
CIO       Chief Information Officer
CPO       Chief Privacy Officer
DSC       Division of Supervision and Consumer Protection
DIT       Division of Information Technology
DRR       Division of Resolutions and Receiverships
FDIC      Federal Deposit Insurance Corporation
FIPS PUB  Federal Information Processing Standards Publication
FISMA     Federal Information Security Management Act
GAGAS     Generally Accepted Government Auditing Standards
GPRA      Government Performance and Results Act
IIF       Information in an Identifiable Form
ISM       Information Security Manager
IT        Information Technology
KPMG      KPMG LLP
NIST      National Institute of Standards and Technology
OERM      Office of Enterprise Risk Management
OIG       Office of Inspector General
OMB       Office of Management and Budget
PIA       Privacy Impact Assessment
PII       Personally Identifiable Information
RUP®      Rational Unified Process
SDLC      Systems Development Life Cycle
SP        Special Publication
SSN       Social Security Number


INTRODUCTION

The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) contracted with KPMG LLP (KPMG) to conduct a performance audit of the FDIC’s compliance with section 522 of the Consolidated Appropriations Act, 2005 (section 522).[1] Section 522 requires, among other things, that agencies establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage, and security of information in an identifiable form (IIF)[2] relating to agency employees and the public. Section 522 also requires agency Inspectors General to contract with an independent third party to review and report on their agencies’ privacy programs and practices. The FDIC has determined that section 522 applies to the Corporation.

The objective of the audit was to (1) evaluate the FDIC’s use of IIF and the FDIC’s privacy and data protection procedures and (2) recommend strategies and specific steps to improve the FDIC’s privacy and data protection management practices.
As part of the audit, we followed up on privacy-related issues contained in two previously-issued OIG reports.[3] We conducted our performance audit in accordance with generally accepted government auditing standards (GAGAS) issued by the Comptroller General of the United States. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. Appendix I describes our objective, scope, and methodology; Appendix II contains brief descriptions of key privacy-related laws, policies, and guidelines and their applicability to the FDIC; Appendix III describes the criteria used to assign risk ratings to the detailed findings contained in this report; Appendix IV provides an overview of the FDIC’s privacy program initiatives; and Appendix V presents concepts from the global privacy framework developed by the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA).

[1] Section 522 is found in Division H of the Consolidated Appropriations Act, 2005, entitled the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005. For convenience, we are using “Consolidated Appropriations Act, 2005” in the title of this audit and elsewhere in this report.
[2] The Office of Management and Budget’s (OMB) Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, defines IIF as information in an information system or an on-line collection that directly identifies an individual (e.g., name, address, Social Security number (SSN), or other identifying code, telephone number, e-mail address, etc.) or by which an agency intends to identify specific individuals in conjunction with other data elements. Our report uses the term IIF when referring to personally identifiable information (PII) to be consistent with section 522. See Appendix II for further information about this definition.
[3] The FDIC’s Efforts to Comply with OMB Memorandum M-06-16, Protection of Sensitive Agency Information (Report No. 06-020), dated September 2006; and Response to Privacy Program Information Request in OMB’s Fiscal Year 2006 Reporting Instructions for FISMA and Agency Privacy Management (Report No. 06-018), dated September 2006.


BACKGROUND

In fulfilling its legislative mandate of insuring deposits, supervising financial institutions, and managing receiverships, the FDIC creates and acquires a significant amount of IIF. Such IIF includes names, addresses, SSNs, phone numbers, dates of birth, and credit reports related to FDIC employees and contractors and depositors and borrowers at FDIC-insured financial institutions. Much of the information managed by the FDIC and its contractors falls within the scope of several statutes and regulations intended to protect such information from unauthorized disclosure. These statutes and regulations include section 522; the Privacy Act of 1974; section 208 of the E-Government Act of 2002; and Parts 309, Disclosure of Information, and 310, Privacy Act Regulations, of the FDIC’s Rules and Regulations. Further, OMB has issued a number of privacy-related policies and guidelines to federal departments and agencies aimed at protecting IIF.[4] In addition, the FDIC has developed internal policies and procedures to safeguard the IIF the Corporation manages.

Section 522 Requirements

Enacted in December 2004, section 522 directs agencies, including the FDIC, to implement a number of measures to protect IIF. Such measures include:

   • Appointing a Chief Privacy Officer (CPO) to assume primary responsibility for agency privacy and data protection policy.
   • Establishing and implementing comprehensive privacy and data protection procedures governing the collection, use, sharing, disclosure, transfer, storage, and security of IIF relating to agency employees and the public. Such procedures are to be consistent with legal and regulatory guidance, including OMB regulations; the Privacy Act of 1974; and section 208 of the E-Government Act of 2002.
   • Preparing a written report, signed by the CPO, that provides a benchmark for the agency’s privacy program and describes the agency’s use of IIF, along with its privacy and data protection policies and procedures. The report is to be recorded with the agency Inspector General.

Section 522 also requires agencies to have an independent, third-party review of the agency’s use of IIF to (a) determine the accuracy of the agency’s description of IIF use; (b) determine the effectiveness of privacy and data-protection procedures; (c) ensure compliance with the stated privacy and data protection policies of the agency and applicable laws and regulations; and (d) ensure that all technologies used to collect, use, store, and disclose IIF allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use, and distribution of information in the operation of the program. In general, the review is required to be performed at least every 2 years by a third party with expertise in privacy under the cognizance of the agency Inspector General. Upon completion of the review, the agency Inspector General must submit to the agency head a detailed report that includes recommendations for improvements and enhancements to the agency’s management of IIF and its privacy and data protection procedures and strategies to improve privacy and data protection management.

[4] See Appendix II for pertinent OMB privacy-related policies and guidelines.

The FDIC’s Privacy Program

The FDIC has established a corporate-wide privacy program consisting of various policies and procedures for managing and protecting its IIF. These include a corporate policy directive governing the collection, maintenance, use, and/or dissemination of records subject to the Privacy Act of 1974; procedures for identifying IIF contained in applications;[5] and procedures for completing privacy impact assessments (PIA)[6] of systems containing IIF. In March 2005, the FDIC appointed a senior official, the Chief Information Officer (CIO), as the FDIC’s CPO with overall responsibility for the Corporation’s privacy program. The FDIC also designated a Privacy Program Manager to support the CPO in developing and implementing corporate privacy requirements. In October 2005, the FDIC implemented mandatory annual privacy awareness training for its employees and contractors that includes guidance on protecting IIF and coverage of privacy laws, regulations, and policies. In addition, the FDIC implemented a privacy program Web site to promote awareness of privacy requirements, policies, and practices and installed shredding bins in its facilities to securely dispose of sensitive information, including IIF. Further, as required by section 522, the CPO provided a written report to the OIG on September 15, 2005, describing the FDIC’s use of IIF, along with the FDIC’s privacy and data protection policies and procedures.

In addition, the FDIC is in the process of implementing a number of initiatives aimed at strengthening its privacy program policies, procedures, and practices and ensuring compliance with privacy-related laws and regulations. Of particular note, the FDIC is working to:

   • Identify all IIF maintained by the FDIC’s divisions and offices, regardless of where the information is stored (e.g., in network applications; freestanding, limited use, or user-created applications; databases; and network shares). Based on the results of this effort, the Division of Information Technology (DIT) will determine whether additional safeguards are necessary to protect the information and whether public disclosure regarding its collection and use is adequate.
   • Identify all FDIC contractors having custody of privacy-related information, and verify whether appropriate safeguards are in place.
   • Issue several draft corporate-policy directives related to privacy that include guidance for the secure storage, transmission, remote access, dissemination/transport, and disposal of sensitive information, including IIF.
   • Confirm that adequate privacy-related controls are in place for systems identified as containing IIF by completing the security checklist provided by the National Institute of Standards and Technology (NIST).[7]
   • Consolidate the annual privacy awareness and security awareness training modules into a single program to achieve efficiencies.
   • Research methods to ensure that technologies used to collect, use, store, and disclose IIF allow for continuous auditing of compliance with stated privacy policies and practices as required by section 522.

Appendix IV contains a detailed description of the FDIC’s key privacy-related initiatives and their status as of October 2006.

[5] The FDIC uses the Application Security Assessment (ASA) document to assess the security of its applications. The ASA includes questions for identifying IIF.
[6] A PIA is an analysis of how information is handled to: (1) ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (2) determine the risks and effects of collecting, maintaining, and disseminating IIF, and (3) examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. A PIA is required by the E-Government Act of 2002 (as implemented by OMB Memorandum M-03-22) to ensure privacy protections, and the requirements of the Privacy Act of 1974 are considered when developing or procuring new or modified information technology (IT) that contains IIF.
[7] OMB’s June 23, 2006 Memorandum M-06-16, Protection of Sensitive Agency Information, recommends that agencies complete the NIST checklist. The memorandum also recommends encryption, authentication, and logging controls for sensitive information.

Protecting IIF is a Government-wide Challenge

Safeguarding IIF from unauthorized disclosure has been, and continues to be, of significant concern to both the public and the Congress. Common threats associated with the compromise of IIF include identity theft and consumer fraud. In response to highly publicized breaches of sensitive personal information at federal agencies, the Committee on Government Reform of the U.S. House of Representatives (the Committee) requested 19 federal departments and agencies to provide the Committee with information about incidents involving the loss or compromise of sensitive personal information (i.e., IIF) held by the agency or its contractors.[8] The Committee issued a report, dated October 13, 2006, based on the information it received, stating that all 19 departments and agencies had experienced at least 1 loss of IIF since January 1, 2003. The report noted that the majority of these losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by agency employees. The Committee’s report concluded that, taken as a whole, the agencies had identified hundreds of instances of data breaches involving IIF and that each incident had affected from one individual to as many as millions of individuals. The Committee’s report emphasizes the criticality of having an effective and comprehensive privacy program.

[8] The Committee issued the request, dated July 10, 2006, to all Cabinet-level agencies, the Office of Personnel Management, and the Social Security Administration.


RESULTS OF AUDIT

The FDIC has established a corporate-wide privacy program to protect the IIF it manages from unauthorized disclosure and ensure its appropriate use consistent with section 522.
Of\n particular note, the FDIC has appointed a CPO with overall responsibility for the FDIC\xe2\x80\x99s\n privacy program, issued or drafted corporate policies and procedures for safeguarding IIF,\n and posted a privacy statement on the FDIC\xe2\x80\x99s public Web site. Additionally, the FDIC has\n performed PIAs on its systems identified as containing IIF, completed required Privacy Act-\n related reviews,9 and implemented mandatory Web-based privacy awareness training for its\n employees and contractors. Further, as described in the Background section of this report,\n the FDIC was working to complete a number of key initiatives to strengthen its privacy\n program policies, procedures, and practices and ensure compliance with federal privacy-\n related statutes, policies, and guidelines.\n\n Consistent with the intent of section 522, our report identifies areas of the FDIC\xe2\x80\x99s privacy\n program warranting continued management attention and recommends strategies and specific\n steps that management should take to ensure adequate protection of its IIF. Specifically, the\n FDIC can strengthen its privacy program by integrating its key ongoing and planned program\n control activities into a formal documented plan. In addition, the FDIC needs to (a)\n implement additional control measures to ensure the physical security of its IIF in hardcopy\n format, (b) ensure that PIAs posted on the FDIC\xe2\x80\x99s public Web-site adequately describe the\n FDIC\xe2\x80\x99s collection and use of IIF, and (c) fully address privacy-related considerations in its\n System Development Life Cycle (SDLC)10 processes. 
Such actions will help ensure that IIF\n managed by the FDIC is adequately protected and that the FDIC\xe2\x80\x99s privacy practices are\n consistent with section 522 and related statutes, policies, and procedures.\n\n STRATEGY FOR ENHANCING CURRENT PRIVACY PROGRAM EFFORTS\n\n Section 522 requires that independent third-party reviews of agency privacy programs\n recommend strategies and specific steps to improve the agencies\xe2\x80\x99 privacy and data protection\n management. As part of this review, we have identified one such strategy that the FDIC can\n implement to strengthen its privacy program management. Although not mandated by statute\n or regulation, the FDIC can enhance its privacy program by documenting a formal,\n comprehensive plan that integrates the Corporation\xe2\x80\x99s privacy program goals and objectives,\n performance measures, organization and relationship of key initiatives, training and\n awareness strategy, and methods for reporting.\n\n The FDIC established a corporate-wide privacy program and was working diligently to\n address current and emerging privacy-related requirements. As discussed in the Background\n section of this report, the FDIC was working on initiatives to identify all FDIC- and\n\n 9\n     OMB Circular No. A-130, Management of Federal Information Resources, Appendix I, Federal Agency\n     Responsibilities for Maintaining Records About Individuals, requires agencies to perform various reviews of\n     compliance with certain provisions of the Privacy Act of 1974. 
See Appendix II for details.\n10\n     The SDLC is a process for developing information systems through several phases, each comprised of\n     multiple steps.\n\n\n\n                                                        I-5\n\x0ccontractor-maintained IIF throughout the Corporation, develop new privacy policy directives,\nenhance the Corporation\xe2\x80\x99s privacy awareness training, and ensure adequate controls are in\nplace to protect privacy data in applications. The FDIC was also performing a number of\nongoing privacy activities, such as conducting and reporting PIAs, providing awareness\ntraining to employees and contractor personnel, and addressing new OMB privacy\nrequirements. FDIC privacy officials (i.e., the CPO and Privacy Program Manager) were\ncoordinating these initiatives and activities with various internal organizations and corporate\nofficials, such as the FDIC\xe2\x80\x99s CIO Council, Legal Division, and systems owners throughout\nthe Corporation. Also, privacy officials were preparing various privacy-related reports and\nbriefings for FDIC management, OMB, and the Congress.11\n\nAlthough the FDIC developed the IT Strategic Plan 2004 \xe2\x80\x93 2007 and the Information\nSecurity Strategic Plan 2006 \xe2\x80\x93 2007 to help manage its IT and security program activities,\nthese plans do not address privacy activities. The FDIC could enhance its privacy program\nmanagement by integrating its key ongoing and planned program control activities into a\nformal, comprehensive documented plan. 
Such a plan would promote integration of the\nFDIC\xe2\x80\x99s:12\n\n     \xe2\x80\xa2   Privacy program goals and objectives.\n     \xe2\x80\xa2   Performance measures to assess the extent to which the FDIC is achieving its privacy\n         program goals and objectives.13\n     \xe2\x80\xa2   Privacy program roles and responsibilities.\n     \xe2\x80\xa2   Organization and relationship of key FDIC initiatives that support its privacy program\n         goals and objectives.\n     \xe2\x80\xa2   Training and awareness to foster an improved control environment and a corporate\n         culture that emphasizes the importance of the protection of IIF. Although the FDIC\xe2\x80\x99s\n         efforts to identify its IIF are not yet complete, we observed that additional training\n         and awareness on what IIF is and where it can reside (e.g., in standalone systems,\n         databases, and network shares) would be helpful to system owners responsible for\n         identifying IIF.\n     \xe2\x80\xa2   Methods for reporting privacy program activities and remedial actions.\n\n\n\n\n11\n   Such reporting includes, but is not limited to, the FDIC\xe2\x80\x99s annual privacy reporting required by the Federal\n   Information Security Management Act of 2002 (FISMA), biennial reporting required by section 522, and\n   periodic status reporting to the FDIC Operating Committee, OIG, and others.\n12\n   The FDIC could address some of these items (in whole or in part) in other corporate plans, such as its\n   Corporate Annual Performance Plan, IT Strategic Plan, and Information Security Strategic Plan.\n   Additionally, at the time of our audit, the FDIC was considering the inclusion of two measures in its 2007\n   Corporate Performance Objectives to enhance its privacy program.\n13\n   Developing strategic plans, setting performance goals, and reporting results is a fundamental tenet of the\n   Government Performance and Results Act of 1993 (GPRA). 
   GPRA requires agencies, including the FDIC,
   to measure how program activities accomplish agency strategic goals and objectives.

In May 2006, the AICPA/CICA published a global privacy framework entitled, Generally
Accepted Privacy Principles (the Framework).14 The principles contained in the Framework
are based on current international privacy regulatory requirements and industry-accepted
practices and are designed to be applied to any organization’s privacy program. Although
the FDIC is not required to adhere to the Framework, it does contain certain business
practices that can benefit the FDIC’s privacy program.

Figure 1 identifies five primary activities associated with managing a privacy program as
defined by the Framework. The first activity, Strategizing, involves the development of an
“overall master plan” to ensure that the organization’s efforts are headed in a common
direction. The plan defines, among other things, the strategic direction of the organization’s
privacy program, the organization’s long-term goals and major issues for becoming
privacy-compliant, processes for achieving goals and milestones, and a mechanism for
communicating critical privacy program information. The remaining four activities in
Figure 1 flow from Strategizing.

Figure 1: AICPA/CICA Privacy Framework
Source: AICPA/CICA Generally Accepted Privacy Principles.

As previously discussed, the FDIC has established a corporate-wide privacy program.
Implementing such a program is a major, multi-year effort requiring sustained coordination
among divisions and offices throughout the Corporation.
Documenting a comprehensive
plan that integrates key aspects of the Corporation’s privacy program as described above will
facilitate the proactive identification of potential program gaps, weaknesses, and
redundancies. Such a plan could also further facilitate integration of ongoing and planned
privacy program activities, help address current and emerging privacy requirements, and
promote sound program governance.

Recommendation

We recommend that the FDIC CPO:

       1. Enhance the FDIC’s privacy program by integrating key ongoing and planned
          program control activities into a formal documented plan.

14 Appendix V contains additional information on the Framework. See also
   http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/.

DETAILED AUDIT RESULTS

PHYSICAL SECURITY OF HARDCOPY IIF

Risk Rating: Moderate

Condition

The FDIC has taken a number of steps to ensure the physical security of hardcopy IIF and IIF
stored on portable storage media such as compact disks, flash drives, and microfiche. Such
measures included placing lockable file cabinets and secure storage facilities in FDIC
buildings, providing employees and contractors with guidance on how to protect sensitive
information through security awareness training, and issuing advisories to employees and
contractor personnel through global e-mail messages and the FDIC’s privacy Web site.
However, additional measures are needed.
On October 17, 2006, KPMG and OIG staff
performed walkthroughs of selected floors in FDIC buildings located in Washington, D.C.;
Arlington, Virginia; and Dallas, Texas, and found 15 separate instances in which significant
amounts of IIF stored in hardcopy format and on portable storage media had not been
properly secured.15 Unsecured IIF included employee names, addresses, and SSNs; borrower
SSNs, borrower loan numbers, court records, and death certificates; and one instance of an
individual’s name and credit card number. Generally, the IIF was stored in unlocked file
cabinets, unsecured file rooms, and boxes placed in hallways and other building common
areas.

Although physical access controls such as security guards and identification badges were in
place to restrict building entry to only authorized personnel and visitors, further restrictions
to ensure the principle of least privilege16 were not in place. We immediately notified the
FDIC’s Computer Security Incident Response Team of the unsecured IIF that we identified
during our walkthroughs and were advised that prompt corrective action was taken to secure
the information.

Cause

Although the FDIC had taken some steps to promote awareness of the need to secure IIF, the
Corporation was not monitoring employee and contractor compliance with physical IIF
security requirements. Such monitoring could include, for example, performing periodic
walkthroughs of FDIC facilities to determine whether IIF is properly secured. Employees
and contractor personnel are less likely to leave IIF unsecured if compliance controls are in
place.
Additionally, the FDIC had not implemented procedures for visibly marking all
documents containing IIF to heighten awareness of the need to protect such information.

15 The OIG reported weaknesses in the FDIC’s physical security of sensitive information, including IIF, in its
   September 2006 reports entitled, Independent Evaluation of the FDIC’s Information Security Program-2006
   (Report No. 06-022) and DRR's Protection of Bank Employee and Customer Personally Identifiable
   Information (Report No. 06-017).
16 Least privilege refers to the concept of restricting access to information resources to the minimum level
   necessary to perform a specific function (e.g., job duty).

Further, the FDIC had drafted, but not yet issued, a corporate directive defining guidelines
for the protection of sensitive electronic and hardcopy information (including IIF), such as
storing documents containing sensitive information in locked file drawers when not in use,
and never leaving portable IT equipment unattended.

Additional emphasis on employee awareness is warranted until such time as FDIC
divisions and offices determine that IIF is being consistently secured throughout the
Corporation. Such emphasis could be in the form of advisories in the annual privacy
awareness training, reminders from division and office information security managers,
and awareness briefings in division and office conferences.
Additional considerations
may include the implementation of a clean-desk policy and the labeling of sensitive
documents and files, including those containing IIF.

Criteria

The Privacy Act of 1974 states that agencies shall establish appropriate administrative,
technical, and physical safeguards to ensure the security and confidentiality of records and
to protect against any anticipated threats or hazards to their security or integrity which
could result in substantial harm, embarrassment, inconvenience, or unfairness to any
individual about whom information is maintained. The FDIC CPO issued a global e-mail
message on July 26, 2006 directing all employees and contractor personnel to “secure
hard copies of PII [i.e., IIF] until they are properly disposed…safeguard hard copies in
your work areas, and shred them when they are no longer needed.” Subsequent global
e-mail messages from the CPO reiterated the responsibilities of employees and contractor
personnel to secure IIF.

The FDIC’s security awareness training instructs employees and contractor personnel to
protect sensitive data in both electronic and hardcopy formats from disclosure to
unauthorized individuals or groups. The awareness training states, “Leaving diskettes and
CD's lying around is tantamount to leaving your computer turned on without a
password-protected screen saver. They are easily taken and used by anyone with access to a
computer.
If you have important and/or confidential information on a diskette or CD, take
care to store it properly in a locked drawer.” Further, the FDIC’s internal Web site,
Protecting Sensitive Information, states, “whenever sensitive information is stored on
portable media or printed out in hard copy, such information should be kept secure and in
a locked file cabinet when appropriate.”

Effect

Absent appropriate measures to ensure that IIF is properly secured in FDIC facilities, the
FDIC is at increased risk of a potential unauthorized disclosure or compromise of IIF.
Such a compromise could result in individual identity theft and unnecessary costs to the
Corporation resulting from remediation efforts (such as notifications to affected
individuals and potential credit monitoring services). In addition, unauthorized access to,
and use of, IIF poses considerable risk to the FDIC’s reputation, as well as to the
individuals whose data is not protected.

Recommendations

We recommend the FDIC CPO:

     2. Implement additional control measures to ensure IIF is properly secured. Such
        measures could include marking documents containing IIF and performing
        periodic, unannounced walkthroughs of FDIC facilities and reporting the results to
        appropriate management officials.

     3. Place additional emphasis on employee and contractor awareness to physically
        safeguard IIF in their custody as previously discussed in this report.

PUBLIC DISCLOSURE OF IIF USAGE

Risk Rating: Moderate

Condition

The FDIC has established a formal process for conducting PIAs17 of its applications and
systems that contain IIF and posted PIAs on its public Web site.
However, PIAs posted
on the FDIC’s public Web site did not always contain sufficient information regarding the
collection or use of IIF as described in OMB policy and section 208 of the E-Government
Act of 2002. We judgmentally selected 15 of the 43 PIAs posted on the FDIC’s public
Web site as of October 27, 2006 and found that 6 of the 15 PIAs did not disclose all types
of IIF collected and/or stored by the application.18 In addition, 3 of the 15 PIAs that we
reviewed did not adequately describe how or why the IIF contained in the application was
being used. PIAs for these three applications provided a general description of the
application rather than a description of the intended use of each type of IIF collected or
stored.

17 The purpose of a PIA is to analyze and publicly disclose how personal information is collected, used, stored,
   shared, and protected by government agencies.
18 Of the six PIAs, two did not disclose any types of IIF collected by the application. The remaining four PIAs
   did not disclose at least one type of IIF (e.g., date of birth, home telephone number, or bank account
   number) collected by the application.

Cause

Figure 2: The FDIC’s PIA Process
Source: KPMG Analysis.

As reflected in Figure 2, the FDIC’s PIA process consists of three key documents: (1) a formal
PIA Procedures document containing detailed instructions and examples to assist division and
office personnel in conducting PIAs, (2) a PII Questionnaire to aid FDIC personnel in
identifying IIF, and (3) a PIA Template to document the results of PIA work and later post to
the FDIC’s public Web site.
Because questions in the PIA Template are more general than the PIA Procedures document
and PII Questionnaire, the PIA Template did not always ensure that individuals responsible
for completing PIAs provided specific information regarding IIF collection and use. As a
result, PIAs posted on the FDIC’s public Web site did not always include prescribed
privacy-related information that detailed the type of information collected, the reason(s)
why the information was collected, and the intended use of the information.

On October 31, 2006, a DIT official informed us that efforts were underway to combine the
PIA Template and PII Questionnaire into a single document. Such streamlining should
improve the efficiency of the FDIC’s PIA process and provide additional assurance that PIAs
posted on the FDIC’s public Web site are consistent with privacy-related requirements. The
FDIC should also consider additional reviews of PIA content by appropriate officials prior to
public posting of PIAs to ensure they sufficiently address IIF collection and use.

Criteria

In general, Section 208 of the E-Government Act of 2002 requires agencies to conduct
PIAs of all information systems containing IIF and make the completed PIAs available to
the public. The Act requires that published PIAs describe, among other things, what
information is to be collected, why the information is being collected, and the agency’s
intended use of the information. OMB Memorandum M-03-22, OMB Guidance for
Implementing the Privacy Provisions of the E-Government Act, provides details on the
required content of PIAs.
Among other things, the OMB memorandum states that PIAs
must analyze and describe the type of information to be collected (e.g., nature and source);
why the information is being collected (e.g., to determine eligibility); and the intended use
of the information (e.g., to verify existing data).

Effect

PIAs are intended to promote the public trust through increased transparency and
assurances that personal information is protected. Absent full disclosure of this
information, the Corporation’s use of IIF may not be clearly understood by the public
through reviews of published PIAs.

Recommendations

We recommend that the FDIC CPO:

     4. Review all PIAs posted on the FDIC’s public Web site to determine whether they
        disclose all types of IIF used by the application and sufficiently describe the
        FDIC’s use of IIF consistent with OMB policy and section 208 of the
        E-Government Act of 2002.

     5. Enhance current processes for preparing and publicly posting PIAs to ensure that
        new PIAs adequately describe the FDIC’s collection and use of IIF consistent with
        OMB policy and section 208 of the E-Government Act of 2002.

PRIVACY CONSIDERATIONS IN THE SDLC

Risk Rating: Low

Condition

The FDIC adopted the Rational Unified Process (RUP®)19 SDLC methodology in 2004
and tailored the RUP® to meet the specific needs of the Corporation. Of particular note,
the FDIC tailored the RUP® to address information security requirements applicable to
each phase of the SDLC and describe the roles of key corporate committees and personnel
involved in the SDLC.20 One such requirement includes the completion of an ASA that
includes steps for identifying IIF in systems under development.21 However, the FDIC’s
SDLC processes do not fully address privacy considerations.
Such privacy considerations
include, for example, the role of privacy officials, such as the CPO and Privacy Program
Manager, in the development, maintenance, and disposal of information systems. Privacy
considerations also include ensuring that IIF protection needs are addressed throughout a
system’s life cycle.22 Addressing such privacy considerations during the SDLC will
provide the FDIC with greater assurance that privacy requirements are identified and
addressed in an efficient and timely manner during systems development and
implementation.

19 RUP® is an iterative and risk-based methodology for developing information systems. RUP® is a registered
   trademark of Rational Software Corporation, a wholly-owned subsidiary of the International Business
   Machines (IBM®) Corporation.
20 Such committees and personnel include the Capital Investment Review Committee, CIO Council, Enterprise
   Architecture Board, Program Management Office, and DIT Information Security Staff.
21 In the event the ASA identifies the presence of IIF, completion of a PIA for the system is required.
22 Such protection needs are dynamic because privacy requirements and risks change over time. Examples
   include encrypting IIF stored in databases, suppressing IIF data when printed on paper, and generating audit
   trails of IIF data downloads.

Cause

A number of new privacy-related requirements have been imposed on federal agencies in
recent years in response to reports of security breaches involving IIF. Such privacy
requirements include security control and reporting provisions contained in section 522
and privacy safeguards described in OMB policy memoranda. As discussed in the
Background section of this report, the FDIC was working to implement a number of key
initiatives aimed at addressing new and emerging privacy requirements.
Because the
FDIC’s privacy program is relatively new and evolving, the Corporation had not yet fully
addressed privacy considerations in its SDLC processes.

We spoke with DIT personnel and FDIC privacy officials about the importance of privacy
considerations in the SDLC. A DIT official informed us that FDIC system developers use
an electronic requirements template as part of the FDIC’s SDLC processes. The template
contains requirements, such as NIST-recommended security controls and standards for
complying with section 508 of the Rehabilitation Act,23 that developers consider when
developing systems. The DIT official indicated that privacy considerations could be
added to the requirements template to ensure that privacy is adequately considered in the
SDLC process. We agree that modifying the requirements template would be a prudent
step toward addressing privacy in the FDIC’s SDLC processes.

Criteria

The SDLC is a key control for ensuring that security and privacy are integrated into the
life-cycle planning and management of information systems. NIST Special Publication
(SP) 800-64, Security Considerations in the Information Systems Development Life Cycle,
describes key roles and responsibilities associated with information systems development,
including the role of the privacy officer. According to the publication, privacy officers
and other officials play a critical role in ensuring that systems meet existing privacy
policies regarding protection, dissemination (information sharing and exchange), and
information disclosure. In addition, NIST SP 800-64 states that the process of identifying
functional requirements should include an analysis of relevant laws and regulations,
including the Privacy Act of 1974.
Although the FDIC is not required to comply with
NIST SP 800-64, it contains prudent business practices related to privacy that the FDIC
should voluntarily adopt.

23 Section 508 requires federal agencies that develop, procure, maintain, or use electronic and IT systems to
   ensure that federal employees and members of the public with disabilities have access to and use of
   information and data, comparable to that of the employees and members of the public without disabilities,
   unless it is an undue burden to do so. The FDIC has determined that it is not legally bound to follow section
   508 but does so as a matter of policy.

Effect

According to NIST SP 800-64, information security is most effective when it is integrated
into the SDLC methodology from its inception. Industry research has shown that
addressing IT requirements early in a system’s life-cycle development is less costly than if
the requirements are addressed in later life-cycle phases. Ensuring that privacy
considerations are fully addressed in the FDIC’s SDLC processes will promote a defined
and repeatable approach for incorporating privacy controls into new systems and provide
FDIC management greater assurance that privacy requirements are identified and
addressed in an efficient and effective manner. Such efforts will also help ensure that the
confidentiality and integrity of IIF are maintained.

Recommendation

We recommend that the FDIC CPO:

    6. Enhance the FDIC’s SDLC processes to fully address privacy considerations.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audit was to (1) evaluate the FDIC’s use of IIF and the FDIC’s
privacy and data protection procedures and (2) recommend strategies and specific steps to
improve the FDIC’s privacy and data protection management practices. KPMG
conducted its performance audit in accordance with GAGAS issued by the Comptroller
General of the United States. Those standards require that we (i.e., KPMG) plan and
perform the audit to obtain sufficient, appropriate evidence that provides a reasonable
basis for our findings and conclusions based on our audit objectives.

To accomplish the audit objective, KPMG leveraged prior audit work as described in the
OIG’s September 2006 reports entitled, The FDIC’s Efforts to Comply with OMB
Memorandum M-06-16, Protection of Sensitive Agency Information (Report No. 06-020);
and Response to Privacy Program Information Request in OMB’s Fiscal Year 2006
Reporting Instructions for FISMA and Agency Privacy Management (Report
No. 06-018). Also, KPMG interviewed key FDIC privacy, security, and program office
officials who had responsibility for implementing the FDIC’s privacy program and
complying with the requirements described in section 522 and OMB Memorandum
M-06-16. KPMG reviewed relevant security- and privacy-related policies, procedures,
and guidelines that address the control measures described in section 522. In addition,
KPMG reviewed the FDIC’s established procedures and guidance for performing PIAs
and sampled a selection of publicly-posted PIAs for compliance with section 208 of the
E-Government Act of 2002.
Further, KPMG selected a sample of information systems to
assess the progress of the FDIC’s efforts to identify applications containing IIF. KPMG
interviewed the business owners of the selected information systems to become familiar
with processes used to identify IIF. KPMG also reviewed the FDIC’s Web sites and
Intranet and leveraged scans of the FDIC’s network performed as part of the FISMA
audit efforts to identify the presence of IIF. To evaluate physical protections over IIF,
KPMG and the OIG performed walkthroughs of three FDIC facilities in Washington,
D.C.; Arlington, Virginia; and Dallas, Texas.

KPMG did not evaluate program performance measures. In addition, KPMG did not
perform procedures to determine the validity or reliability of computer-based data
because such procedures were not critical to satisfying the audit’s objectives. KPMG
conducted alternative procedures to determine the presence of IIF data and the status of
privacy initiatives, such as interviews of application owners. In addition, KPMG’s
assessments of the FDIC’s management controls and compliance with laws and
regulations were limited to those related to privacy, particularly those dealing with
agency privacy-management requirements. Further, KPMG did not design tests to detect
fraud, waste, abuse, and mismanagement. However, throughout the audit, KPMG was
sensitive to the potential for fraud, waste, abuse, and mismanagement. KPMG conducted
its work at the FDIC’s offices in Arlington, Virginia; and Washington, D.C., during
October 2006.
The FDIC OIG performed certain other audit procedures at the FDIC’s
offices in Dallas, Texas.

APPENDIX II

LAWS, STANDARDS, POLICIES, AND GUIDELINES PROTECTING
PRIVACY-RELATED AND SENSITIVE INFORMATION

In addition to requirements in section 522 of the Consolidated Appropriations Act, 2005, a
number of federal statutes, standards, policies, and guidelines are aimed at protecting IIF
from unauthorized use, access, disclosure, or sharing and associated information systems
from unauthorized access, modification, disruption, or destruction. Brief descriptions of key
privacy-related statutes, policies, and guidelines and their applicability to the FDIC follow.

•   The Privacy Act of 1974 imposes various requirements for federal agencies whenever
    they collect, create, maintain, and distribute records (as defined in the Act, and
    regardless of whether they are in hardcopy or electronic format) that can be retrieved by
    the name of an individual or other identifier. One such requirement is to establish
    appropriate administrative, technical, and physical safeguards to ensure the security and
    confidentiality of records and to protect against any anticipated threats or hazards to their
    security or integrity which could result in substantial harm, embarrassment,
    inconvenience, or unfairness to any individual about whom information is maintained.
    As a federal agency, the FDIC is subject to the requirements of the Act.
    The Act can be
    located at http://www.usdoj.gov/oip/privstat.htm.

•   The E-Government Act of 2002, section 208, requires agencies to (1) conduct PIAs of
    information systems and collections and, in general, make PIAs publicly available;
    (2) post privacy policies on agency Web sites used by the public; (3) translate privacy
    policies into a machine-readable format; and (4) report annually to the OMB on
    compliance with section 208. The FDIC has determined that it is subject to the
    requirements of this provision. The Act can be located at
    http://www.cio.gov/archive/e_gov_act_2002.pdf.

•   Federal Information Processing Standards Publication (FIPS PUB) 199, Standards
    for Security Categorization of Federal Information and Information Systems,
    describes standards to be used by all federal agencies to categorize all information and
    information systems collected or maintained by or on behalf of each agency based on the
    objectives of providing appropriate levels of information security according to a range of
    impact levels. This publication establishes security categorization standards for
    information and information systems based on the potential impact on an organization
    should certain events occur that jeopardize the information and information systems
    needed by the organization to accomplish its mission, protect its assets, fulfill its legal
    responsibilities, maintain its day-to-day functions, and protect individuals. By its terms,
    this publication is not legally binding on the FDIC, but the FDIC intends to follow its
    principles.
    The publication can be located at
    http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

•   NIST SP 800-64, Security Considerations in the Information Systems Development
    Life Cycle, provides a framework for incorporating security into all phases of the
    information SDLC process, from initiation to disposal. Included within the framework
    are requirements to consider privacy protection measures in accordance with relevant
    privacy-related federal guidance. The provisions of this publication are non-mandatory.
    The publication can be located at
    http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf.

•   NIST SP 800-30, Risk Management Guide for Information Technology Systems,
    provides a foundation for the development of an effective risk management program,
    containing both the definitions and the practical guidance necessary for assessing and
    mitigating risks identified within IT systems. The publication also provides information
    on the selection of cost-effective security controls. Such controls can be used to mitigate
    risk for the better protection of mission-critical information and the IT systems that
    process, store, and carry this information. The publication can be located at
    http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.

•   OMB Circular No. A-130, Management of Federal Information Resources,
    Appendix I, Federal Agency Responsibilities for Maintaining Records about
    Individuals, describes agency responsibilities for implementing the reporting and
    publication requirements of the Privacy Act of 1974. The FDIC has determined that
    OMB Circular No. A-130, Appendix I, applies to the Corporation.
    Subsequent OMB
    policy provides additional information regarding agency responsibilities for designating
    a senior agency official for privacy, conducting PIAs, developing privacy policies for
    Web sites, providing privacy education to employees and contractor personnel, and
    reporting privacy activities. The circular can be located at
    http://www.whitehouse.gov/omb/circulars/a130/a130trans4.pdf.

•   OMB Memorandum M-03-18, Implementation for the E-Government Act of 2002,
    provides agencies information on implementing the E-Government Act of 2002. The
    guidance (1) outlines federal agency requirements related to the E-Government Act of
    2002; (2) explains the information agencies are expected to provide under the
    E-Government Act of 2002 to support ongoing initiatives and new activities, including
    reports; (3) explains how the E-Government Act of 2002 authorizes certain ongoing
    government-wide initiatives; and (4) explains how the E-Government Act of 2002 fits
    within existing IT policy, such as policies included in OMB Circulars A-11,
    Preparation, Submission, and Execution of the Budget; and A-130, Management of
    Federal Information Resources. According to the FDIC, to the extent that the provisions
    of OMB Memorandum M-03-18 are legally binding on the FDIC, the FDIC has taken
    steps to implement those provisions or has otherwise taken them into account. The
    memorandum can be located at http://www.whitehouse.gov/omb/memoranda/m03-18.pdf.

•   OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy
    Provisions of the E-Government Act of 2002, provides information to agencies on
    implementing the privacy provisions of the E-Government Act of 2002, particularly
    section 208.
    The guidance directs agencies, including the FDIC, to conduct reviews of
    how IT is used to collect information about individuals or when agencies develop or buy
    new IT systems to handle collections of IIF, the definition of which appears in footnote 2
    of this report. OMB’s definition implements the E-Government Act’s definition of
    “identifiable form,” namely, “any representation of information that permits the identity
    of an individual to whom the information applies to be inferred by either direct or
    indirect means.” Section 522 incorporates this statutory definition. We believe that
    using OMB’s definition of IIF is appropriate in connection with section 522 because,
    according to section 522, its definition of “identifiable form” is consistent with the
    E-Government Act’s definition of the term. This memorandum replaces OMB
    memoranda 99-18, Privacy Policies on Federal Web Sites; and 00-13, Privacy Policies
    and Data Collection on Federal Web Sites. The memorandum can be located at
    http://www.whitehouse.gov/omb/memoranda/m03-22.html.

•   OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy,
    requests that agencies designate a senior official for privacy. The FDIC complied with
    the memorandum by designating the CIO as the senior agency official. The
    memorandum can be located at http://www.whitehouse.gov/omb/memoranda/fy2005/m05-08.pdf.

•   OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information,
    describes responsibilities and policy for appropriately safeguarding sensitive PII and for
    training employees on their responsibilities in this area.
OMB requires the senior agency\n    official for privacy to conduct a review of policies and processes and take corrective\n    action as appropriate to ensure adequate safeguards exist to prevent misuse or authorized\n    access to PII. Any weaknesses are to be identified in a security plan of action and\n    milestones required by FISMA. According to the FDIC, to the extent that the provisions\n    of OMB Memorandum M-06-15 are legally binding on the FDIC, the FDIC has taken\n    steps to implement those provisions or has otherwise taken them into account. The\n    memorandum can be located at http://www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf.\n\n\xe2\x80\xa2   OMB Memorandum M-06-16, Protection of Sensitive Agency Information, includes a\n    checklist for agency use for protecting PII that is remotely accessed or transported\n    outside the agency. The checklist is based on NIST SPs 800-53, Recommended Security\n    Controls for Federal Information Systems; and 800-53A, Guide for Assessing the\n    Security Controls in Federal Information Systems (Second Public Draft). In addition,\n    M-06-16 recommends the encryption of all data on mobile computers/devices that carry\n    sensitive data, two-factor authentication for remote access, \xe2\x80\x9ctime-out\xe2\x80\x9d functions for\n    remote access and mobile devices, and the logging of all computer-readable data extracts\n    from databases containing sensitive information. According to the FDIC, to the extent\n    that the provisions of OMB Memorandum M-06-16 are legally binding on the FDIC, the\n    FDIC has taken steps to implement those provisions or has otherwise taken them into\n    account. 
The memorandum can be located at\n    http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf.\n\n\xe2\x80\xa2   OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable\n    Information and Incorporating the Cost for Security in Agency Information\n    Technology Investments, provides updated guidance on the reporting of security\n    incidents involving PII and explains the requirements agencies will need to address\n    regarding security and privacy in fiscal year 2008 budget submissions for IT. This\n    guidance requires all agencies to report all suspected or confirmed breaches involving\n    PII in an electronic or physical form within 1 hour of discovering the incident to U.S.\n    Center Emergency Readiness Team, a federal incident response center located within the\n    Department of Homeland Security. According to the FDIC, to the extent that the\n    provisions of OMB Memorandum M-06-19 are legally binding on the FDIC, the FDIC\n\n\n                                             I-18\n\x0c                                                                                APPENDIX II\n\n    has taken steps to implement those provisions or has otherwise taken them into account.\n    The memorandum can be located at http://www.whitehouse.gov/omb/memoranda/fy2006/m06-\n    19.pdf.\n\n\xe2\x80\xa2   OMB Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal\n    Information Security Management Act and Agency Privacy Management, directs\n    senior agency officials for privacy to answer a series of questions about their agency\xe2\x80\x99s\n    privacy programs. These questions are based, in part, on agency implementation of the\n    privacy provisions of the E-Government Act of 2002. In addition, the memorandum\n    requires the agency officials to report on the results of privacy program reviews and\n    identify physical or electronic incidents involving the loss of or unauthorized access to\n    IIF. 
The memorandum also requests that agency IGs provide information about their\n    agency\xe2\x80\x99s privacy program and related activities, as appropriate, and provide a list of any\n    systems not included in the agency\xe2\x80\x99s inventory of major information systems. The\n    FDIC\xe2\x80\x99s practice is to comply with OMB\xe2\x80\x99s reporting guidance. The memorandum can be\n    located at http://www.whitehouse.gov/omb/memoranda/fy2006/m06-20.pdf.\n\n\xe2\x80\xa2   OMB Memorandum, Recommendations for Identity Theft Related Data Breach\n    Notification, recommends agencies establish a core management group responsible for\n    responding to the loss of personal information that poses the subsequent risk of identity\n    theft. The group is to plan for contingencies in the event of a breach, evaluate the risk of\n    identity theft associated with realized data losses, and take appropriate actions based on\n    the determined risk. The FDIC considers this memorandum a background discussion\n    paper that provides recommendations for agencies for planning and responding to data\n    breaches. The memorandum can be located at\n    http://www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf.\n\n\xe2\x80\xa2   FDIC Rules and Regulations. Part 309, Disclosure of Information, sets forth the basic\n    policies of the FDIC regarding the information it maintains and the procedures for\n    obtaining access to such information. Part 310, Privacy Act Regulations, establishes\n    regulations implementing the Privacy Act of 1974 by delineating the procedures that an\n    individual must follow in exercising his or her access or amendment rights under the\n    Privacy Act of 1974 to records maintained by the Corporation in systems of record.\n    FDIC Rules and Regulations Part 309 can be located at\n    http://www.fdic.gov/regulations/laws/rules/2000-3800.html. 
FDIC Rules and Regulations Part 310 can be located at http://www.fdic.gov/regulations/laws/rules/2000-3900.html.

•   FDIC Circular 1031.1, Administration of the Privacy Act, establishes requirements for the collection, maintenance, use, and dissemination of records subject to the Privacy Act of 1974.

•   Division of Information Technology IT Policy Memorandum, Cookies in Internet Products, establishes the policy and standard for the use of cookies in Internet, FDICnet, and extranet-type products developed or deployed by the FDIC.

APPENDIX III

RISK RATINGS

Based on our experience and knowledge of industry practices, we assessed the risk associated with each control weakness described in the report and assigned a risk rating of High, Moderate, or Low. We based each risk rating on an analysis of our underlying audit work, and each rating required professional judgment as to the relative risk and significance of control strengths and weaknesses. We based our assessments of risk, in part, on concepts defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, and risk definitions contained in NIST SP 800-30, Risk Management Guide for Information Technology Systems.

A High Risk rating indicates a condition that could directly result in unauthorized access to internal networks or systems, a severe loss of data integrity, or a severe loss of system availability. NIST SP 800-30 describes a risk as “High” if “there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.”

A Moderate Risk rating is a condition that alone would not result in unauthorized access but does provide significant capability or information that could be directly used in conjunction with other information or tools to gain unauthorized access to internal systems. In regard to the security control objectives of integrity and availability, a moderate risk condition represents a condition that may have a serious adverse effect on data integrity or a serious loss of system availability. NIST SP 800-30 states that if a moderate risk is observed, then corrective actions are needed, and a plan must be developed to incorporate these actions within a reasonable period of time.

A Low Risk rating is a condition that does not directly lead to compromise of internal systems but demonstrates an incomplete approach to security. In regard to the security control objectives of integrity and availability, a low-risk condition represents a condition that may have a limited adverse effect on data integrity or a limited loss of system availability. NIST SP 800-30 characterizes a risk as “Low” if, “The system’s Designated Approving Authority must determine whether corrective actions are still required or decide to accept the risk.”

APPENDIX IV

FDIC PRIVACY PROGRAM INITIATIVES

The table below lists each privacy area, its initiative(s), and the status of each initiative as of October 20, 2006.

Privacy Area: Privacy Governance/Policy
Initiatives:
  1. Increase privacy program staffing.
  2. Develop a corporate-wide policy to address the protection of sensitive agency information, including IIF, and recent OMB requirements.
  3. Research options to implement continuous monitoring of technologies used to collect, store, process, and disseminate IIF.
Status as of October 20, 2006:
  1. Ongoing.
  2. A corporate-wide policy to address the requirements of the protection of sensitive information has been drafted but not yet issued. Interim policy in the form of global e-mails and divisional guidance has been communicated.
  3. A group has been formed to research options to allow for continuous monitoring. Software solutions are under evaluation.

Privacy Area: Privacy Web site
Initiative: Develop and update a Web site devoted to privacy issues.
Status as of October 20, 2006: A Privacy Program Web site is established and is periodically updated (www.fdic.gov/about/privacy).

Privacy Area: Privacy Training
Initiatives:
  1. Combine the security awareness and privacy awareness modules.
  2. Develop classroom privacy training.
Status as of October 20, 2006:
  1. Storyboards (i.e., outlines) for combining the modules have been developed and are currently under review. Completion of work is planned for March 2007.
  2. Coordination is planned with the Corporate University regarding classroom privacy training.

Privacy Area: Privacy Awareness
Initiative: Update the FDIC’s incident reporting and response procedures to reflect the 1-hour reporting requirement contained in OMB Memorandum M-06-19.
Status as of October 20, 2006: Incident reporting procedures have been updated to reflect the 1-hour reporting requirement.

Privacy Area: Privacy Impact Assessments
Initiative: A PIA will be prepared for each information system containing personal information (i.e., IIF).
Status as of October 20, 2006: As of October 3, 2006, 43 PIAs had been performed for the 46 systems identified as containing IIF and posted on the Privacy Web site. As discussed in the report, work is ongoing to identify all IIF maintained throughout the Corporation.

Privacy Area: Privacy Reporting
Initiatives:
  1. FISMA Privacy Reporting.
  2. Section 522 Privacy Reporting.
  3. Monthly privacy program status reports.
Status as of October 20, 2006:
  1. The 2006 FISMA privacy report was issued on September 28, 2006.
  2. The memorandum on the FDIC’s privacy program was sent to the Deputy Inspector General on September 15, 2005; a report to the Congress is planned by the end of 2006.
  3. Monthly privacy program status reports have been produced since July 2006.

Privacy Area: Compliance with OMB Memorandum M-06-16
Initiatives:
  1. Encrypt sensitive data stored on mobile computing devices.
  2. Provide tokens to state bank examiners for remote authentication.
  3. Finalize policy and implement software solution to log data extracts of sensitive data.
Status as of October 20, 2006:
  1. Current testing and implementation schedules suggest that data on laptops will be encrypted by December 2006. Encryption of external storage media and Blackberry devices will follow in February 2007.
  2. Legal issues associated with providing tokens to state bank examiners are under review. Target completion is March 2007.
  3. Draft policy is under review, and the FDIC is evaluating several software solutions to log data extracts.

APPENDIX V

AICPA/CICA PRIVACY FRAMEWORK CONCEPTS

The figure below highlights privacy program management concepts contained in the AICPA/CICA’s global privacy framework entitled, Generally Accepted Privacy Principles.
Other privacy frameworks exist; the AICPA/CICA’s Framework is just one example for consideration.

[Figure: Privacy program management concepts. Five phases are shown left to right (Strategizing, Diagnosing, Implementing, Sustaining, Auditing), each with its activities, and a Continuous Monitoring row runs beneath them. The activities recovered from the figure are listed below.]

Strategizing:
  Business Risk Analysis
  Privacy Strategy

Diagnosing:
  Policy Development
  Business Processes Analysis
    − As-Is and To-Be Evaluation
  Planned Controls
    − Compliance
    − Information Management
    − Risk Management

Implementing:
  Business Process Redesign
  Human Resources
    − Communication
    − Training
  Information System Modification to Security Architecture and SDLC Process
  Functional Changes
    − To Business Processes
    − Awareness Regarding Use and Collection of IIF

Sustaining:
  Business Process Change
  Information System Modification to Security Architecture
  Public Notice
    − Policy Notification
    − PIA Publication
    − FOIA* Management
  Compliance
    − Training
    − Regulatory Reporting
    − Legal
    − Third Party Contracts

Auditing:
  Control Self-Assessment
    − Monitor Performance Measures
    − Track Privacy Issues and Remediation Efforts
  Compliance Audits
    − Section 522
    − FISMA
  Environmental Updates
    − Legislation
    − Regulations
    − Public Expectations

Continuous Monitoring: Gap analysis in each of the Diagnosing, Implementing, Sustaining, and Auditing phases.

Note: KPMG has expanded upon the AICPA/CICA’s Framework to incorporate applicable federal laws, regulations, and business processes specific to U.S. federal agencies.
* Freedom of Information Act.

Part II

Corporation Comments and OIG Evaluation

CORPORATION COMMENTS AND OIG EVALUATION

The report contains six recommendations directed to the CPO. On January 4, 2007, the CPO provided a written response to a draft of this report, dated December 11, 2006. The CPO’s response is presented, in its entirety, beginning on page II-4. The CPO concurred with all six of the report’s recommendations. Based on the CPO’s response, all six recommendations are considered resolved, but they will remain open until we have determined that agreed-to corrective actions have been completed and are effective.
The CPO’s response to each of the report’s recommendations is summarized below, along with our evaluation of the response.

Recommendation 1: Enhance the FDIC’s privacy program by integrating key ongoing and planned program control activities into a formally documented plan.

CPO Response: The CPO concurred with the recommendation. The CPO will enhance the existing program plan to formally document and describe the Corporation’s privacy program goals and objectives, performance measures, organization and relationships of key initiatives, training and awareness strategy, and methods for reporting by December 15, 2007.

OIG Evaluation of Response: The CPO’s response satisfies the intent of the recommendation. The recommendation will remain open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 2: Implement additional measures to ensure IIF is properly secured. Such measures could include performing periodic, unannounced walkthroughs of FDIC facilities and reporting the results to appropriate management officials.

CPO Response: The CPO concurred with the recommendation. The CPO will discuss appropriate, additional control measures for securing IIF with the CIO Council by April 15, 2007. A plan for implementing these measures will be completed by July 15, 2007. The plan will identify the date for final implementation of the measures.

OIG Evaluation of Response: The CPO’s response satisfies the intent of the recommendation. The recommendation will remain open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 3: Place additional emphasis on employee and contractor awareness to physically safeguard IIF in their custody as previously discussed in this report.

CPO Response: The CPO concurred with the recommendation. The CPO recognizes the importance of employee and contractor privacy awareness and has taken actions to address this need at the FDIC. Such actions include privacy awareness training, Web site materials, conference presentations among FDIC divisions and offices, and the promulgation of privacy policies and procedures. In addition, the CPO stated that Division of Resolutions and Receiverships (DRR) staff in Washington D.C., and DRR and Division of Supervision and Consumer Protection (DSC) staff in Dallas have received business-unit-specific privacy training. However, the CPO agreed to take several additional actions to further emphasize employee and contractor awareness regarding the physical safeguarding of IIF in their custody by November 30, 2007. Such actions include placing additional emphasis on physically safeguarding IIF during CIO Council meetings and Information Security Manager (ISM) meetings, including an item in the FDIC newsletter, and working with the FDIC’s Office of Enterprise Risk Management (OERM) to develop a program for determining whether physical documents containing IIF are adequately secured.

OIG Evaluation of Response: The CPO’s response satisfies the intent of the recommendation. The recommendation will remain open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 4: Review all PIAs posted on the FDIC’s public Web site to determine whether they disclose all types of IIF used by the application and sufficiently describe the FDIC’s use of IIF consistent with OMB policy and section 208 of the E-Government Act of 2002.

CPO Response: The CPO concurred with the recommendation. The CPO stated that the recommended actions are part of the FDIC’s standard, ongoing processes. However, the CPO will perform a review of all currently posted PIAs to ensure that they adequately disclose all types of IIF used by the application and sufficiently describe the FDIC’s use of IIF consistent with OMB policy and section 508 of the E-Government Act of 2002. The review will be completed, and any necessary corrections made, by March 15, 2007.

OIG Evaluation of Response: The CPO’s response satisfies the intent of the recommendation. The recommendation will remain open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 5: Enhance current processes for preparing and publicly posting PIAs to ensure that new PIAs adequately describe the FDIC’s collection and use of IIF consistent with OMB policy and section 208 of the E-Government Act of 2002.

CPO Response: The CPO concurred with the recommendation. The CPO stated that the recommended actions are part of the FDIC’s standard, ongoing processes. However, the CPO will review current PIA posting processes to ensure that new PIAs adequately describe the FDIC’s collection and use of IIF consistent with OMB policy and section 208 of the E-Government Act of 2002. The review will be completed, and any required adjustments made, by March 15, 2007.

OIG Evaluation of Response: The CPO’s response satisfies the intent of the recommendation. The recommendation will remain open until we have determined that agreed-to corrective action has been completed and is effective.

Recommendation 6: Enhance the FDIC’s SDLC processes to fully address privacy considerations.

CPO Response: The CPO concurred with the recommendation. The CPO stated that the FDIC’s RUP® SDLC addresses privacy considerations through the ASA, which determines whether IIF is in an application undergoing design.
If IIF is present, a PIA is required. The CPO indicated that the PIA is used throughout the life cycle of a project, including during the development of requirements and performance of risk assessments and security testing and evaluation. However, the CPO recognizes that development teams may benefit from additional resources to ensure full attention to privacy issues. Accordingly, the CPO will add privacy roles and responsibilities to the intersecting organizations’ portion of the FDIC’s SDLC process by June 15, 2007.

OIG Evaluation of Response: The CPO’s response satisfies the intent of the recommendation. The recommendation will remain open until we have determined that agreed-to corrective action has been completed and is effective.

CORPORATION COMMENTS

MANAGEMENT RESPONSES TO RECOMMENDATIONS

This table presents management’s responses to the recommendations in our report and the status of the recommendations as of the date of report issuance.

Rec.    Expected Completion Date    Monetary Benefits    Resolved (a): Yes or No    Open or Closed (b)
1       December 15, 2007           N/A                  Yes                        Open
2       July 15, 2007               N/A                  Yes                        Open
3       November 30, 2007           N/A                  Yes                        Open
4       March 15, 2007              N/A                  Yes                        Open
5       March 15, 2007              N/A                  Yes                        Open
6       June 15, 2007               N/A                  Yes                        Open

Corrective Action: Taken or Planned/Status
1. The CPO will enhance the existing program plan to formally document and describe the Corporation’s privacy program goals and objectives, performance measures, organization and relationships of key initiatives, training and awareness strategy, and methods for reporting.
2. The CPO will develop a plan for implementing additional control measures for safeguarding IIF.
3. The CPO will (a) complete planned privacy briefings to DSC and DRR, (b) place additional emphasis on physically safeguarding IIF during CIO Council and ISM meetings, (c) promote awareness through the FDIC newsletter, and (d) work with OERM to develop a program for determining whether physical documents containing IIF are adequately secured.
4. The CPO will review all posted PIAs to ensure that they adequately disclose all types of IIF used by the application and sufficiently describe the FDIC’s use of IIF.
5. The CPO will review the FDIC’s PIA posting process to ensure that new PIAs adequately describe the FDIC’s collection and use of IIF.
6. The CPO will add privacy roles and responsibilities to the intersecting organizations’ portion of the SDLC process.

(a) Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.
(b) Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.